Hotcrp
CVE-2026-23878
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.
AnalysisAI
HotCRP is conference review software. [CVSS 6.5 MEDIUM]
Technical ContextAI
Affects Hotcrp. HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.
RemediationAI
A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.
HotCRP conference review software version 3.1 has an inadequate input sanitization flaw (CVSS 9.9) that allows authentic
HotCRP conference review software versions from October 2025 through January 2026 improperly render uploaded documents i
A vulnerability was found in HotCRP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no au
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today